Abusive IP flood

Are any of you constantly getting hit with a flood from a particular IP on the DROP list?

I get daily 10k+ from this IP, looks like other people have similar complaints like “27K packets a day”

Is there anything that can be done to stop the flood?

IPFire lists the country as NL, above website says it is from UA or AZ

Thanks

Hi,

[root@maverick ~]# location lookup 31.43.191.142
31.43.191.142:
  Network                 : 31.43.191.0/24
  Country                 : Netherlands
  Autonomous System       : AS210848 - Telkom Internet LTD
  Hostile Network safe to drop: yes

traceroute attempts from multiple locations strongly suggest this IP address is physically hosted in NL indeed:

 1. x
 2. x
 3. x
 4. x
 5. x
 6. AS2914   ae-4.r21.frnkge13.de.bb.gin.ntt.net (129.250.4.184)   0.0%     5    5.1   8.8   4.1  14.1   4.2
 7. AS2914   ae-7.r21.amstnl07.nl.bb.gin.ntt.net (129.250.3.77)    0.0%     5   10.4  17.8  10.4  30.4  10.0
 8. AS2914   ae-1.a00.amstnl09.nl.bb.gin.ntt.net (129.250.2.233)   0.0%     4   22.0  27.5  22.0  32.2   4.2
 9. (waiting for reply)
10. AS210848 31.43.191.142 (31.43.191.142)                         0.0%     4   11.5  14.9  11.5  24.7   6.6

 1. x
 2. x
 3. x
 4. x
 5. AS9002   ae2-8.RT.IR9.AMS.NL.retn.net (87.245.233.17)          0.0%    13   33.8  30.8  29.1  34.8   1.8
 6. (waiting for reply)
 7. AS210848 31.43.191.142 (31.43.191.142)                         0.0%    13   30.3  30.7  30.1  32.3   0.7

Currently, the sole peer and uplink of AS210848 is AS202425 – a long-standing Dutch bulletproof ISP recently mentioned in another thread. Unfortunately, for ordinary (i.e. non LEA-) humans, there is nothing that can be done about this, aside from dropping all traffic from and to these networks.

UA is the country the owner of 31.43.191[.]0/24 appears to be based in, AZ is the country code allocated in the RIPE database to this network, but that is garbage, given that it is neither physically hosted in AZ, nor related to this jurisdiction.

Thanks, and best regards,
Peter Müller

2 Likes
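To check how much of the log volume involves the network discussed above, and whether any internal host has tried to reach it, the following added example (not part of the thread and not IPFire code) tallies netfilter log lines per day for 31.43.191.0/24. The sample lines are constructed: the log prefixes, interface names, hostname and every address other than 31.43.191.142 are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the kernel netfilter LOG format (assumed prefixes).
SAMPLE_LOG = """\
Jan 12 03:14:07 ipfire kernel: DROP_HOSTILE IN=red0 OUT= SRC=31.43.191.142 DST=203.0.113.10 LEN=40 PROTO=TCP SPT=51234 DPT=3389
Jan 12 03:14:08 ipfire kernel: DROP_HOSTILE IN=red0 OUT= SRC=31.43.191.142 DST=203.0.113.10 LEN=40 PROTO=TCP SPT=51235 DPT=5900
Jan 12 03:14:09 ipfire kernel: DROP_HOSTILE IN=red0 OUT= SRC=31.43.191.7 DST=203.0.113.10 LEN=40 PROTO=TCP SPT=40000 DPT=22
Jan 12 03:15:00 ipfire kernel: DROP_INPUT IN=red0 OUT= SRC=198.51.100.23 DST=203.0.113.10 LEN=60 PROTO=UDP SPT=5060 DPT=5060
Jan 13 00:00:01 ipfire kernel: DROP_HOSTILE IN=red0 OUT= SRC=31.43.191.142 DST=203.0.113.10 LEN=40 PROTO=TCP SPT=51236 DPT=3389
Jan 13 00:00:02 ipfire kernel: FORWARDFW IN=green0 OUT=red0 SRC=192.168.1.5 DST=31.43.191.142 LEN=52 PROTO=TCP SPT=44444 DPT=443
"""

# Syslog date (month + day), then the SRC= and DST= fields of a netfilter LOG line.
LINE_RE = re.compile(r"^(\w{3}\s+\d+) .*?\bSRC=(\S+) DST=(\S+)")


def summarize(log_text, network):
    """Return (inbound, outbound) Counters for traffic involving `network`.

    inbound  is keyed by (day, source IP) for packets coming from the network;
    outbound is keyed by (day, local IP) for hosts that tried to reach it.
    """
    net = ipaddress.ip_network(network)
    inbound, outbound = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a netfilter LOG line
        day, src, dst = m.groups()
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue  # malformed address field, skip the line
        if src_ip in net:
            inbound[(day, src)] += 1
        elif dst_ip in net:
            outbound[(day, src)] += 1
    return inbound, outbound


if __name__ == "__main__":
    inbound, outbound = summarize(SAMPLE_LOG, "31.43.191.0/24")
    for (day, ip), n in sorted(inbound.items()):
        print(f"{day}  from {ip:<15} {n} packets")
    for (day, ip), n in sorted(outbound.items()):
        print(f"{day}  local host {ip} tried to reach the network ({n} packets)")
```

Any outbound entry is worth investigating, since it means a host behind the firewall initiated traffic towards the network rather than merely being scanned by it.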